Friday, July 31, 2009

It's handy to know how to send email using the telnet command, especially for debugging purposes.

FYI, many people out there do not even realize that emails are sent over TCP/IP on port 25. They told me that in order to test, they need an Outlook or Thunderbird client. Those are technical people. :)

Thursday, July 30, 2009

We wanted to evaluate Cisco IronPort Hosted Email Security, but they did not give us the chance. I was initially thrilled when I saw on their website "Try Before You Buy". I applied twice. No luck!

Our company policy is as such: Before we recommend a product to our customers, we'll evaluate it internally first. The criteria are simple:

Product capability and suitability

Customer/Support service experience

Pricing

Notice that we are very particular about service experience before any recommendation is made. If the experience with the pre-sales or sales is no good, we do not even proceed further. We are always against spending money on vendors who do not give a dime on customer service experience.

Honestly speaking, there are far too many comparable products out there in the market. The ones that support our customers best, we'll stick our heads with them. (even if their pricing might be the highest)

Regarding your reseller application: Red Condor is not currently signing resellers in Asia. We are in the process of reviewing this decision and to approach partners throughout Asia as we are expanding internationally.

It's a matter of presence. Red Condor is a relatively young company with main focus in the US/Europe markets. I think it will take them a couple of years before they get serious with the booming Asia market.

Wednesday, July 29, 2009

I received an email today which reminded me of a discussion I had with my potential customer some time back. (OK, I received 3 emails in actual fact since I am not on Exchange and this person is not from the same company)

To know exactly how Message Recall works in Microsoft Exchange, read here.

Sometimes, it is very hard to convince customers that the feature(s) they are looking for are non-standard. And thus, even if deployed, they do not inter-operate well with other types of systems.

e.g. Sending an email from Microsoft Exchange to a recipient residing in Sun Messaging Server; then attempting to recall the sent mail. It's totally impossible to recall. The recipient will experience what I did today - receive 3 emails instead!! (1 original non-intentional mail; 1 recall mail; 1 resent corrected mail)

There must be visibility of the messages that are quarantined, especially in a hosted security solution. Otherwise, customers do feel uneasy. (This is really a feedback from our customers)

And this is something we look out for in evaluating a good hosted security product. Our company offers OpenMail. It is a secure-hosted environment for corporate customers. Internally, we subscribe to Google Postini Service for our own domain. We allow our customers to choose any hosted security product of their choice, if they want to have that extra layer of protection.

What we like about Google Postini Service is a daily Quarantine Summary email which each of us will receive.

If any of us detects that a genuine email has been detained, a simple click on "Deliver" will instruct Postini to deliver that email to our mailbox. There is also a Message Center for each user to manage his/her own quarantined emails.

In TrendMicro IMHS, there is this very nice Quarantines Settings module. Initially, it was not enabled, so we did not receive any Quarantine Summary email. However, even after we enabled it, we still receive nothing from IMHS. (Is it because we are testing with Free Trial account? We do not know why.)

Even when we log in as Administrator, there is no quarantined message being displayed for a particular user account which, we know for sure, receives lots of spam each day.

Yes, this particular user account does receive less spam when IMHS is activated during the trial period. However, if the visibility is not there, customers will never feel at ease.

Tuesday, July 28, 2009

I received an email from my customer today. He suspected that I might have mis-configured his Sun Java Messaging Server.

The mail was enqueued at 21:50 yesterday and dequeued at 23:09. I received the mail at 23:09. In my email client, it shows the received time as 21:50, whereas I think it should show 23:09. Is there a way to change it?

In terms of look-and-feel, TrendMicro IMHS leaves a very good first impression.

Google Postini Service can never compete in terms of look-and-feel. Or rather, Google has never been bothered too much with slick design. They place their focus on functionalities instead.

For example, in IMHS, there is no way for an administrator to know how many accounts he has created so far. I can understand that a CSV upload utility is convenient. It's helpful and most welcome. However, after importing, there must be an intuitive way to show the list of imported users.

Google Postini Service's experience, again, is vastly different. A list of user accounts is shown distinctly. What's more? There is a way to adjust anti-spam for different categories (Sexually Explicit, Get Rich Quick, Special Offers, Racially Insensitive) at per-user level.

For each category filter, there is a way to set a base level (from Lenient to Aggressive).

Monday, July 27, 2009

The company I work for provides Corporate Email Hosting - OpenMail.SG. Customers are free to introduce another layer of anti-virus/anti-spam protection before their emails flow into our Sun Messaging Server.

We are almost done with evaluating the various technologies. We'll be posting a series of blogs highlighting what we like and what we do not like about certain products.

The first in the series is why we chose to drop TrendMicro IMHS (InterScan Messaging Hosted Security).

Registration is required for End-User Quarantine account. Why? Shouldn't the account be created by default?

TO ACCESS END USER QUARANTINE:

Spam email messages are deleted by default. For systems configured to quarantine spam email messages, each employee can create an End User Quarantine account to access their quarantined email messages and set up approved senders. Please provide your employees the instructions below and the End User Guide which can be downloaded from the IMHS console (see below).

1. Each employee can register an account using the IMHS WebEUQ Console at the following web page:

https://us.imhs-euq.trendmicro.com/

2. Click the "Create a new account" link on the login page.

3. Follow the on-screen instructions. After you submit your information, you will receive an email message verifying your new account with a username and password.

4. Change your password after your first log in.

We evaluated Google Postini Service as well. The experience is vastly different. Once an account has been set up and the very first spam/junk mail is captured, Postini will send a friendly email to the user of that account:

Dear userA@xxx.com.sg,

xxx.com.sg's new junk email protection service has quarantined its first suspected junk email message directed at you. Since you have not signed in at your personal xxx.com.sg Message Center, we are sending this notification informing you of the service's initial action. After this notification, we will begin the standard practice of sending notifications of quarantined messages on a regular basis.

You can inspect your suspicious email at:

http://login.postini.com/exec/login?email=userA@xxx.com.sg

Your temporary password is: XXXXXXX

Suspicious email is kept in your xxx.com.sg Message Center for 14 days, after which it will be automatically deleted. Please visit your xxx.com.sg Message Center to deliver valid email or delete messages you do not want.

Saturday, July 25, 2009

It is very important to discuss with your customers the reasons behind their requests. Let's be frank... Sometimes, they really have no idea what they want.

I have a customer who, until today, thinks that Sun Messaging Server utilizes the SendMail daemon on the Solaris OS to deliver emails.

How did I find out? Well, he called me 2 days ago: "We need to perform maintenance this weekend. We do not want our internal applications to deliver emails via our Sun Messaging Server during this period of time. So, can I just disable the SendMail daemon for the time being?"

I almost jumped off my chair. I do not feel sad for him. I feel sad for his employer. I feel that workers these days do not really spend their time reading up. They are just clocking hours. They have stopped asking "Why" which I used to do.

So, these days, I will usually ask the rationale behind any request. On the occasions when I forgot to ask, I found that I usually wasted a lot of time researching for them, only to realize it did not fit their actual operational requirement.

Lesson learnt: Ask for business requirement first.

With the business requirement, try to resolve it with the technology available in their environment.

Friday, July 24, 2009

We implemented Sun Portal solution for a local university 3 years ago and are now maintaining their systems. It is designed with high availability in mind. Every component involved requires redundancy support.

Part of the maintenance contract requires us to patch any component as and when they are made available. We know that Sun Directory Server 6.3.1 has been released since Feb 2009. We are only given the green light to patch tonight. :) And no downtime is expected.

Looking at the architecture above, we know we need to take care of 2 dependency components:

Multi-Master Replication between the 2 Directory Servers

Sun Access Manager

As long as the 2 components are taken care of, everything should be fine.

Multi-Master Replication between the 2 Directory Servers

MMR is designed such that if one server crashes and recovers later, the replication mechanism will synchronize the 2 nodes back to identical state again. Not too worrying.

Sun Access Manager

The Users' information and Sun Access Manager configuration data are stored in Sun Directory Servers. If the connection from AM to DS is down, the AM will not work. And this implies the Portal will be down as well. Thus, it is very important that the Sun Directory service is always available.

Luckily, Sun Access Manager is designed such that we can designate a Primary and a Secondary Directory Server. So if one is unavailable, the other is always reachable.

So, it should not be a big problem for the patching to go ahead. We'll do it one node at a time, without disruption to the Portal service to the University users.

We took about 40 mins to finish the job. Below is the task list we followed closely:

0. Backup. Backup. Backup

1. Make sure portal is accessible via

https://node1.university.sg/portal/dt

https://node2.university.sg/portal/dt

2. Verify existing version is 6.0 on node2

root@node2 # ./dsadm -V

[slapd 32-bit]

Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit

3. Stop dsins1 on node2

4. Make sure portal is accessible via

https://node1.university.sg/portal/dt

https://node2.university.sg/portal/dt

5. Patch on node2 using patchadd

root@node2 # patchadd /var/spool/patch/125278-08

6. Verify latest version on node2

root@node2 # /opt/SUNWdsee/ds6/bin/dsadm -V

[slapd 32-bit]

Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0308 32-bit

7. Start dsins1 on node2

8. Ensure replication continues to work between node1 (6.0) and node2 (6.3.1)

-> Need to wait a while for replication to be in-sync. DO NOT PANIC!!

9. Make sure portal is accessible via

https://node1.university.sg/portal/dt

https://node2.university.sg/portal/dt

10. Verify existing version is 6.0 on node1

root@node1 # ./dsadm -V

[slapd 32-bit]

Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit

11. Stop dsins1 on node1

12. Make sure portal is accessible via

https://node1.university.sg/portal/dt

https://node2.university.sg/portal/dt

13. Patch on node1 using patchadd

root@node1 # patchadd /var/spool/patch/125278-08

14. Verify latest version on node1

root@node1 # /opt/SUNWdsee/ds6/bin/dsadm -V

[slapd 32-bit]

Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0308 32-bit

15. Start dsins1 on node1

16. Ensure replication continues to work between node1 (6.3.1) and node2 (6.3.1)

-> Need to wait a while for replication to be in-sync. DO NOT PANIC!!

17. Make sure portal is accessible via

https://node1.university.sg/portal/dt

https://node2.university.sg/portal/dt
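The ordering rule behind the task list above (never stop a node unless the other one is serving, and restart a patched node before touching the next) can be written down as a small gate. This is an added sketch, not part of the original post or any Sun tooling; `parse_banner`, `next_step` and the boolean inputs (`ds_running`, `portal_ok`, `replication_in_sync`) are hypothetical names for checks the operator performs, and the banners are the ones printed by `dsadm -V` above.

```python
import re

# Banner format as printed by `dsadm -V` in the task list above.
BANNER = re.compile(r"Sun-Java\(tm\)-System-Directory/(\d+(?:\.\d+)*)\s+(B[\d.]+)")

OLD = "[slapd 32-bit]\nSun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit\n"
NEW = "[slapd 32-bit]\nSun-Java(tm)-System-Directory/6.3.1 B2008.1121.0308 32-bit\n"


def parse_banner(output):
    """Extract (version tuple, build id) from `dsadm -V` output."""
    m = BANNER.search(output)
    if not m:
        raise ValueError("no Directory Server banner in output")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def is_at_least(version, target):
    """Numeric comparison with zero padding, so 6.0 < 6.3.1 and 6.3 == 6.3.0."""
    width = max(len(version), len(target))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(target)


def node(banner, ds_running=True, portal_ok=True):
    """Observed state of one node (hypothetical structure, filled in by the operator)."""
    return {"banner": banner, "ds_running": ds_running, "portal_ok": portal_ok}


def next_step(nodes, target, order, replication_in_sync):
    """Return the next safe action for a rolling patch of the directory pair."""
    versions = {n: parse_banner(s["banner"])[0] for n, s in nodes.items()}
    # Steps 7 and 15: a patched node whose instance is still stopped comes first.
    for name in order:
        if is_at_least(versions[name], target) and not nodes[name]["ds_running"]:
            return ("start", name)
    pending = [n for n in order if not is_at_least(versions[n], target)]
    if not pending:
        return ("done", None)
    name = pending[0]
    # Steps 1, 4, 9, 12: the remaining nodes must be able to carry the service.
    if not all(nodes[n]["ds_running"] for n in nodes if n != name):
        return ("wait", "another directory instance is down")
    if not all(s["portal_ok"] for s in nodes.values()):
        return ("wait", "portal check failing")
    # Step 8: do not stop a running node while replication is still catching up.
    if nodes[name]["ds_running"] and not replication_in_sync:
        return ("wait", "replication not yet in sync")
    return ("patch", name)


if __name__ == "__main__":
    target, order = (6, 3, 1), ["node2", "node1"]
    state = {"node1": node(OLD), "node2": node(NEW, ds_running=False)}
    print(next_step(state, target, order, replication_in_sync=False))
```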

If your organization requires a Portal solution, talk to us. We have an experienced team well-versed with Sun Portal technology. Not forgetting, LifeRay Portal technology. I'm reachable at cheechong @ azimuthlabs.com.sg

Wednesday, July 22, 2009

It's fairly simple if you have Nokia PC Suite installed on your Windows desktop. (I use Acer AspireOne netbook with XP at home)

Upon starting Nokia PC Suite, you will be notified of the latest firmware available.

See "A new software update is available for your phone. Click to update" above.

Well, I clicked on the hyperlink and after a series of click-click-click, I landed with the dialog prompt below:

Hmmm... Not a big issue... I plugged in my charger and I thought the complaint would go away.

It did not. You need to really charge your battery first. Please remember.

I advise reading the following instruction once the update is done.

Now, what does the instruction say above? "... revert to factory default ..."

So, before you even get started with updating, please remember to perform a backup.

(Click on the top left button in your Nokia PC Suite)

This will enable you to restore your phone to its original state prior to the update. If you forget to back up, I'm really sorry.

Oh... not forgetting to mention... SingNet download speed is faster than Starhub at this hour of the day (23:00hr). I failed twice trying to download the updates via Starhub. Luckily I have 2 links to choose from. *phew*

In the environment where the American bank operates, the same instance of Sun Messaging Server is to be utilized by a number of applications. e.g. Feedback application (online feedback form on their website), Broadcasting application (marketing purpose).

The bank considers the Feedback application as the most important. Definitely, customer service is very important! That's what I always preach as well.

The Broadcasting application is used by the Marketing department in 10 countries around the Asia Pacific region. There will be days when more than 3-5 countries need to broadcast emails. Each country might send out around 100,000 - 200,000 emails. Sometimes, this happens on the same day around the same time.

When this happens, the delivery of feedback emails will be affected since both applications utilize the same shared resource.

They ask for my opinion. My reply below:

To ensure “fair sharing” of messaging service, it is sometimes necessary to limit the number of messages to be handled by the Messaging Server from a certain application (e.g. Broadcasting Application). This will ensure other applications have equal chances of sending out messages via the same Messaging Server. Metermaid comes in handy.

Tuesday, July 21, 2009

I was with a friend today for lunch. After lunch, he asked me to help him with setting up a development environment for Sun Java System Portal Server 7.1.

His company was engaged by a local Online Ticketing Service Provider for some change requests. The initial contract went to a big MNC, but they did not do a good job. Anyway, to his surprise, this service provider does not have a development environment for his engineers to work with. Thus, having no choice and always preaching best practice, he decided to set up the environment on his own premises.

They spent numerous days, but are still not able to get an identical site set up. Thus, he asked for my help.

For your information, my experience with Sun Portal Server dates back to iPlanet Portal Server version 3. It has been 5 years. Sun Portal Server is now named GlassFish Web Space Server. This version is not a continuous/enhancement update from previous ones. It is actually "OEM" from LifeRay Portal Server. A few portlets have been ported to Web Space Server, and that's about it. Not too much different from the default LifeRay installation.

So, back to the development environment setup, I advised his engineers on how to migrate the existing Display Profile from the production server. I also explained about the Authentication-less Anonymous Desktop and its associated Display Profile. Basically, just make sure of the following:

Organization Domain is the same

Portlets to be copied over and deployed on development server

Import display profile for default organization

Import display profile for authless anonymous user

Fairly simple.

When I was about to leave, one engineer asked whether there is a way to hide a certain tab from showing when a particular group of users logs in.

He told me it was so easy to achieve this requirement using LifeRay. (Yes, they implement quite a number of LifeRay. But not Sun Portal Server)

What he needs to do in LifeRay is to navigate to Plugin Configuration and then assign the Role appropriately. Done. Single login; Integrated Administrative Module.

Yes, I do agree. I do LifeRay as well, since Sun has moved on to Glassfish Web Space Server. So, that's part of my job scope.

Anyway, I explained that the concept is slightly different in Sun Portal Server. It is basically driven by Display Profile.

When a user logs in, the Portal Server will check in the following sequence:

Does User Display Profile exist? If yes, render it.

Does Role Display Profile exist? If yes, render it.

Otherwise, render Organization Display Profile.

To fulfill his requirement, what he needs to do is to create a Role Display Profile. How to achieve that is more complicated:

1. Go to Sun Access Manager.

Define a new Role.

Assign users to this new Role.

2. Go to Sun Portal Server Console.

Search for the Role Display Profile.

Customize this Role Display Profile. (By default, without customizing, it will be the same as Organization Display Profile)

FYI, the EOL for Sun Java System Portal Server 7.1 is Nov 2009. If you are using this version of Portal Server and would require upgrade service, do send me an email (cheechong @ azimuthlabs.com.sg).

Friday, July 17, 2009

I spent the whole day debugging what went wrong with my customer's messaging setup. I had installed Sun Messaging Server for them last week. I configured and everything was working before I left this Tuesday.

Thursday, July 16, 2009

Yesterday, I mentioned that a Delete action via Delegated Admin will not remove/purge a user permanently in Sun Messaging Server. Read here.

This is where Sun Messaging Server differs from the other email products. A delete action does not actually remove/purge a user's mailbox, nor does it remove the user from the Directory Server. It merely sets the inetUserStatus flag to "deleted".

I can provide one of the reasons why the product is built as such.

Sun Messaging Server is built with ISP in mind. As such, there must be a way for billing ($$$).

Can you see the "Billing ID" above?

For proper billing at the end of each month, all users (active or deleted) must be reflected correctly in the Sun Directory Server. Deleted Users should be purged only after this information is captured (usually via a Billing Application).

Sunday, July 12, 2009

In Solaris, there is this very nice feature called IPMP (IP Multipathing).

It is able to failover the IP address from one network card to the other when the primary fails. From the end-user point of view, it's transparent. Services continue and there's no downtime. This is nice!

IPMP is mandatory when Sun Cluster is configured.

Anyway, we were conducting UAT a few days back and I observed this very weird output when both network cables were unplugged from the 2 network cards. We thought the IPMP was not configured properly. In fact, nothing was wrong.

In normal operational situation, you'll see the following output:

Now, we unplug the cable from e1000g0 interface. The output is still correct:

(Notice that the IP address 10.50.129.81 from e1000g0 has failed over to bge0:1)

Let's proceed to unplug the cable from bge0 interface. Now, the output is misleading:

Why are bge0 and bge0:1 still showing UP? On the same machine, we can even perform a ping to 10.50.129.81/10.50.129.90 and they are still showing alive.

Very strange indeed. We were puzzled.

It was only some time later that we realized we had not taken a detailed look at the output:

Although the UP flag is there, there is a FAILED flag behind which implies that the interface is indeed down.

We switched our test: bring bge0 down; then bring e1000g0 down. This time round, e1000g0 is showing the UP + FAILED flag. It's always the second interface to be brought down in the IPMP group that will show this UP + FAILED flag.
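A monitoring check that only looks for UP would make the same mistake we did. The following added example (not from the original post) parses Solaris-style `ifconfig -a` output and treats FAILED as overriding UP; the sample text is constructed, and everything in it other than the interface names and the two addresses mentioned above (hex flag words, netmasks, the e1000g0 address, the group name `ipmp0`) is illustrative.

```python
import re

# Constructed sample modelled on Solaris `ifconfig -a` with both cables
# unplugged, as described above. Only the flag names inside <...>, the inet
# address and the groupname are parsed; the hex flag words are illustrative.
SAMPLE = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=19040802<BROADCAST,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,FAILED> mtu 1500 index 2
        inet 10.50.129.91 netmask ffffff00 broadcast 10.50.129.255
        groupname ipmp0
bge0: flags=11000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,FAILED> mtu 1500 index 3
        inet 10.50.129.90 netmask ffffff00 broadcast 10.50.129.255
        groupname ipmp0
bge0:1: flags=11000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,FAILED> mtu 1500 index 3
        inet 10.50.129.81 netmask ffffff00 broadcast 10.50.129.255
"""

HEADER = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")


def parse_ifconfig(text):
    """Return {interface: {"flags": set, "inet": str|None, "group": str|None}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"flags": set(m.group(2).split(",")), "inet": None, "group": None}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        words = line.split()
        for key, field in (("inet", "inet"), ("groupname", "group")):
            if key in words[:-1]:
                current[field] = words[words.index(key) + 1]
    return interfaces


def naive_state(flags):
    """What a quick glance (or a grep for UP) concludes."""
    return "up" if "UP" in flags else "down"


def effective_state(flags):
    """FAILED overrides UP: the interface has been marked unusable by IPMP."""
    if "FAILED" in flags:
        return "failed"
    return "up" if {"UP", "RUNNING"} <= flags else "down"


def group_outages(interfaces):
    """Return the IPMP groups in which every physical member is FAILED."""
    members = {}
    for name, info in interfaces.items():
        if ":" not in name and info["group"]:
            members.setdefault(info["group"], []).append(name)
    return sorted(g for g, names in members.items()
                  if all("FAILED" in interfaces[n]["flags"] for n in names))


def report(text):
    """One row per interface: (name, address, naive state, effective state)."""
    return [(name, info["inet"], naive_state(info["flags"]), effective_state(info["flags"]))
            for name, info in parse_ifconfig(text).items()]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-8s %-14s naive=%-5s effective=%s" % row)
    print("groups with no working interface:", group_outages(parse_ifconfig(SAMPLE)))
```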

We were having our UAT a few days back with our National Healthcare customer here in Singapore.

They have SAP with Oracle running on Sun Cluster 3.2. There are 2 nodes which share a common storage SL500 connected via 2 pairs of Fibre Cables.

One of the tests was to ensure that if the 2 fibre cables which are connected to a node are accidentally unplugged, the resources running on that node should fail over to the other active node (which still has FC connection to the storage).

As this is a migration job for a hardware upgrade, they would like to reuse the same UAT Test Cases from another vendor. (Actually I do not like this arrangement, really)

Nevertheless, we went ahead, but were stuck with this Total Fibre Cables Failure Test.

Instruction:

• Unplug both fibre cables from node nodeA and run “vxdctl enable” to rescan the devices, plug both cables after test.

• There will be error message on node nodeA's console showing link failure of both FC HBA port. After some time, the resource group, oracledb-rg, will failover to node nodeB.

We kept testing but the resource group simply refused to fail over. We did, however, see the link failure error message.

We debugged and we discussed. We wanted to know what was the actual expected result then. We were then told by the customer that he actually saw nodeA rebooting when the FC are taken out from nodeA. And this action actually causes the resource group to failover to nodeB.

The reboot_on_path_failure was set to "disabled" which means even if there is a FC path failure, no action is taken. (aka nodeA will not reboot; and if nodeA does not reboot, the resource group will not failover)

Tuesday, July 7, 2009

In my last post, I mentioned that I installed a fresh instance of Sun Java Mobile Communications Server (aka Synchronica Mobile Gateway).

Once the Communications Server is up, we need to configure our handsets. If you are using a Windows Mobile 5/6 or Palm 650/680/700p phones, then you're in luck! It's fairly easy to download the pre-packaged software into your handsets. If you have a SMS gateway integrated, you can even use the Communications Server Admin module to push the software to your handsets.

Sunday, July 5, 2009

Alright, I gave up on Funambol. Not that the software itself is no good, it's just that the integration component I needed wasn't there - Sun Java System Calendar Server support. (We still have a Zimbra server left after a PoC. Maybe I'll try to integrate Funambol with Zimbra connector next time to test its usability)

This is something I like very much. You do not need a manual to complete administrative configuration. Most application software should be designed as such.

3. User handset configuration takes some time initially

This is where I'm stuck for a fairly long time. As I'm using Nokia E71 to test, there isn't any documentation for it. I did a fair bit of trial-n-error.

But once you get the right configuration, synchronization is a breeze. Really nice!

Special Note:

If you install Sun Application Server 9.1 U2, do remember to use JDK 1.5.0. I use JDK 1.5.0_14. Do not use JDK 1.6.0, it does not work! (I tried)

When configuring Sync in E71, key in http://ip-address/sync/. "/sync/" is required. (Even if your port is not 80. Ours is port 81. Kind of weird!)

Remote database for Contacts should be "Contacts"

Remote database for Calendar should be "Calendar"

There's no Tasks in E71. (Will "Notes" work? I do not know)

Overall, I'm a happy customer. I'll fully test the software for 90 days (free trial). Not forgetting, I'll have to download Synchronica Mobile Gateway Enterprise Edition to test if there's any difference. I bet it will.

My Thai customer chatted with me today. He explained that the password policy which we implemented some time back is such that a user's password will expire every 30 days (typical of a bank). Once the password expires, the user will not be allowed to log in.

Now, he wants a grace login limit, so that even though the password has expired, the Sun Directory Server still allows authentication to pass through.

Well, this request can be easily fulfilled with Sun Directory Server 6.2 onwards. The latest release implements the New Password Policy, one feature of which is:

A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.

However, do note that the compatibility mode needs to be set to DS6-mode. By default, Sun Directory Server 6.x comes installed with DS5-compatible-mode.
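To make the grace-login behaviour concrete, here is an added model (not Directory Server code and not from the original post) of how an expired password interacts with pwdGraceAuthNLimit. It assumes the semantics of the LDAP password policy Internet-Draft that the attribute comes from: pwdMaxAge is in seconds and each grace login is recorded in pwdGraceUseTime; the function names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta


def bind(entry, policy, now, password_ok=True):
    """Evaluate one bind attempt. Returns (allowed, detail) and updates entry.

    entry:  {"pwdChangedTime": datetime, "pwdGraceUseTime": [datetime, ...]}
    policy: {"pwdMaxAge": seconds, "pwdGraceAuthNLimit": int, possibly absent}
    """
    if not password_ok:
        # A wrong password never consumes a grace login.
        return False, "invalid credentials"
    max_age = policy.get("pwdMaxAge", 0)  # 0 or absent: passwords do not expire
    expired = max_age > 0 and now >= entry["pwdChangedTime"] + timedelta(seconds=max_age)
    if not expired:
        return True, "ok"
    limit = policy.get("pwdGraceAuthNLimit") or 0  # absent or 0: no grace logins
    used = len(entry["pwdGraceUseTime"])
    if used >= limit:
        return False, "password expired"
    entry["pwdGraceUseTime"].append(now)  # grace logins are counted, not timed
    return True, "grace login, %d remaining" % (limit - used - 1)


def change_password(entry, now):
    """A password change restarts the expiry clock and clears used grace logins."""
    entry["pwdChangedTime"] = now
    entry["pwdGraceUseTime"] = []


def simulate(limit, attempts, start=datetime(2009, 7, 1)):
    """Password set on `start`, 30-day expiry, then one bind per day from day 31."""
    policy = {"pwdMaxAge": 30 * 86400}
    if limit is not None:
        policy["pwdGraceAuthNLimit"] = limit
    entry = {"pwdChangedTime": start, "pwdGraceUseTime": []}
    return [bind(entry, policy, start + timedelta(days=31 + i))[0] for i in range(attempts)]


if __name__ == "__main__":
    for limit in (None, 0, 3):
        print("pwdGraceAuthNLimit=%s ->" % limit, simulate(limit, 5))
```

With a limit of 3, the fourth bind after expiry is refused until the password is changed, so the limit should be kept small.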

My customer (the Singapore ministry one) called again today. It's regarding his newly migrated Exchange Server 2003. (Yes, 2003, not 2007. He's afraid to upgrade. I do not know why)

Today, the complaint was that whenever he spawns the Exchange System Manager and accesses the Help, the ESM will crash. I asked him to try the ESM on the old Exchange Server. No problem, he said.

Hmm.. How can that be? I had ensured both ESM and Exchange were at the same patch level before I left.

After some investigation, we found out that the only difference between the 2 Exchange servers is the IE version. The old server has IE 6, while the new server has IE 7. A quick search in Microsoft Knowledge-Base pointed to

A conflict between the newer version of the Psapi.dll file that Internet Explorer 7 uses and the older version that Exchange System Manager uses

I'm left wondering why can't there be a hotfix for Exchange Server 2003 such that all cumulative fixes for bugs or conflicting .dll be packaged and released to all Exchange customers.

Wednesday, July 1, 2009

The company I work for focuses on Portal, Messaging, and Identity. While we implement a lot of solutions based on Sun technology, we do provide consultation and deploy technology from other vendors.

As long as it's Portal, Messaging and Identity.

For messaging alone, we are pretty comfortable with Sun Java System Messaging Server, Microsoft Exchange, Zimbra, Postfix and Sendmail.

Personally, I prefer Postfix over Sendmail. Our company used to provide email hosting based on Postfix, until we switched to Sun Messaging Server some time back.

Interestingly enough, a telco in Singapore is using Sendmail as their MTA with Exchange as their backend. I configured the Sendmail for them, with integration to TrendMicro Anti-Virus/Anti-Spam engine.

As for Microsoft Exchange, I start to like it with Exchange 2007 onwards. I like the architecture for the new releases. I can't say the same about Exchange 2000/2003 though. :)

Anyway, I received a call from my customer (a ministry) that the Delivery Restrictions on their newly migrated Exchange Server 2003 is not working. As they have not purchased a support contract with us, we are not able to make a trip on-site to quickly resolve the issue.

It took quite a while to pin-point remotely what had actually gone wrong. It turned out that a registry key was not turned on while the migration was carried out. It was a rather rushed job then. See here for detailed information.

Connector restriction checking is turned off by default because it can significantly affect performance to expand distribution groups and check the restrictions for each message that passes through the system. If possible, turn on this setting on where it is necessary (for example, on the bridgehead server for the restricted connector).